diff --git a/cmd/root.go b/cmd/root.go
index cc33e61fa..70a56e3f2 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -362,10 +362,10 @@ func parseConfig(cmd *Command, conf *proxy.Config, args []string) error {
 
 	if cmd.impersonationChain != "" {
 		accts := strings.Split(cmd.impersonationChain, ",")
-		conf.ImpersonateTarget = accts[0]
+		l := len(accts)
+		conf.ImpersonateTarget = accts[l-1]
 		// Assign delegates if the chain is more than one account.
-		if l := len(accts); l > 1 {
-			conf.ImpersonateTarget = accts[l-1]
+		if l > 1 {
 			conf.ImpersonateDelegates = accts[:l-1]
 		}
 	}
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
index 184e6c7de..b5b2d2f65 100644
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@@ -231,10 +231,7 @@ func (c *Config) credentialsOpt(l cloudsql.Logger) (cloudsqlconn.Option, error)
 			impersonate.CredentialsConfig{
 				TargetPrincipal: c.ImpersonateTarget,
 				Delegates:       c.ImpersonateDelegates,
-				Scopes: []string{
-					sqladmin.CloudPlatformScope,
-					sqladmin.SqlserviceAdminScope,
-				},
+				Scopes:          []string{sqladmin.SqlserviceAdminScope},
 			},
 			iopts...,
 		)
diff --git a/tests/connection_test.go b/tests/connection_test.go
index df236459e..e216b033f 100644
--- a/tests/connection_test.go
+++ b/tests/connection_test.go
@@ -26,7 +26,6 @@ import (
 
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
-	"google.golang.org/api/sqladmin/v1"
 )
 
 const connTestTimeout = time.Minute
@@ -36,8 +35,7 @@ const connTestTimeout = time.Minute
 // that restores the original setup.
 func removeAuthEnvVar(t *testing.T) (*oauth2.Token, string, func()) {
 	ts, err := google.DefaultTokenSource(context.Background(),
-		sqladmin.CloudPlatformScope,
-		sqladmin.SqlserviceAdminScope,
+		"https://www.googleapis.com/auth/cloud-platform",
 	)
 	if err != nil {
 		t.Errorf("failed to resolve token source: %v", err)